Tested on : ----------- LOTUS DOMINO 5.0.5 (french) and LOTUS DOMINO 5.0.8 (french) with http service running. OS : Windows NT 4.0 sp4 Description : ------------- With a particular craft URL, an anonymous users can lock the databases accesses. Result : Any notes users (even the administrators and the servers) can not access the targeted databases until the domino server will be restarted . Except the fact that this bug induce a DoS on the targeted bases, it can perform a DoS on the entire Domino server, if certainty bases are locked. In this case there is no way to stop the Domino server task. The computer need to be phisically reboot. This bug appears when the targeted database is not in-use by the server (so, names.nsf and admin4.nsf are not focused here) and requested through a web browser with the database name precess by a " /./ " in the requested URL. Note : --------------- We have warned Lotus on the 11/23/01, but we did not receive any answer from their part. Exploit : ---------- http://server_adress/directory/./base_name.nsf Example to lock the WEDADMIN.NSF database : http://server/./webadmin.nsf Example to lock the administrator mailbox : http://server/mail/./administrator.nsf Sébastien MICHAUD --- Olivier ALLAIRE I.T. Security engineer CONIX
This archive was generated by hypermail 2b30 : Sat Dec 08 2001 - 01:47:33 PST